Re: 2.2 Kernel Fix
On Fri, Feb 20, 2004 at 09:56:12AM +0100, Dariush Pietrzak wrote: > > 2.2 series of kernels, since they're apparently vulnerable too? > You can find the patch on bugtraq/isec/etc, attached is a peek at it Don't use this one! This one produces kernel panics after a few hours on my systems. I suggest using the one from the 2.2.25-ow2 patch. You can find it at http://www.openwall.com/linux (I also mentioned that in another thread). Sven -- If God passed a mic to me to speak I'd say stay in bed, world Sleep in peace [The Cardigans - No sleep]
Re: 2.2 Kernel Fix
On Fri, Feb 20, 2004 at 09:56:12AM +0100, Dariush Pietrzak wrote: > > 2.2 series of kernels, since they're apparently vulnerable too? > You can find the patch on bugtraq/isec/etc, attached is a peek at it Don't use this one! This one produces kernel panics after a few hours on my systems. I suggest using the one from the 2.2.25-ow2 patch. You can find it at http://www.openwall.com/linux (I also mentioned that in another thread). Sven -- If God passed a mic to me to speak I'd say stay in bed, world Sleep in peace [The Cardigans - No sleep] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: 2.2 Kernel Fix
For those who are interested: Solar Designer updated his OpenWall patch with a fix for the mremap bug. See http://www.openwall.com/linux/ Sven -- If God passed a mic to me to speak I'd say stay in bed, world Sleep in peace [The Cardigans - No sleep]
Re: 2.2 Kernel Fix
For those who are interested: Solar Designer updated his OpenWall patch with a fix for the mremap bug. See http://www.openwall.com/linux/ Sven -- If God passed a mic to me to speak I'd say stay in bed, world Sleep in peace [The Cardigans - No sleep] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: 2.2 Kernel Fix
On Fri, Feb 20, 2004 at 09:56:12AM +0100, Dariush Pietrzak wrote: > > 2.2 series of kernels, since they're apparently vulnerable too? > You can find the patch on bugtraq/isec/etc, attached is a peek at it I had a private discussion about this patch with someone from the Debian Security Team, and he's not very happy with it. First, it changes some printk messages, which is uncommon for security patches. Second, it changes functions, which can result in kernel incompatibility. Anyway, I had a kernel panic shortly after deploying this patch on one of my boxes here. I'm not sure whether it's related to this patch, but it's strange anyway. If you can, I would advise you to wait until the OpenWall project comes up with a clean patch. Sven -- If God passed a mic to me to speak I'd say stay in bed, world Sleep in peace [The Cardigans - No sleep]
Re: 2.2 Kernel Fix
> 2.2 series of kernels, sincee they're apparently vulnerable too? You can find the patch on bugtraq/isec/etc, attached is a peek at it -- Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
--- linux/mm/mremap.c.security Sun Mar 25 20:31:03 2001
+++ linux/mm/mremap.c Thu Feb 19 05:10:34 2004
@@ -9,6 +9,7 @@
#include
#include
#include
+#include
#include
#include
@@ -25,7 +26,7 @@
if (pgd_none(*pgd))
goto end;
if (pgd_bad(*pgd)) {
- printk("move_one_page: bad source pgd (%08lx)\n", pgd_val(*pgd));
+ printk("copy_one_page: bad source pgd (%08lx)\n", pgd_val(*pgd));
pgd_clear(pgd);
goto end;
}
@@ -34,7 +35,7 @@
if (pmd_none(*pmd))
goto end;
if (pmd_bad(*pmd)) {
- printk("move_one_page: bad source pmd (%08lx)\n", pmd_val(*pmd));
+ printk("copy_one_page: bad source pmd (%08lx)\n", pmd_val(*pmd));
pmd_clear(pmd);
goto end;
}
@@ -57,34 +58,22 @@
return pte;
}
-static inline int copy_one_pte(pte_t * src, pte_t * dst)
+static int copy_one_page(struct mm_struct *mm, unsigned long old_addr, unsigned long new_addr)
{
- int error = 0;
- pte_t pte = *src;
+ pte_t * src, * dst;
- if (!pte_none(pte)) {
- error++;
- if (dst) {
- pte_clear(src);
- set_pte(dst, pte);
- error--;
+ src = get_one_pte(mm, old_addr);
+ if (src && !pte_none(*src)) {
+ if ((dst = alloc_one_pte(mm, new_addr))) {
+ set_pte(dst, *src);
+ return 0;
}
+ return 1;
}
- return error;
-}
-
-static int move_one_page(struct mm_struct *mm, unsigned long old_addr, unsigned long new_addr)
-{
- int error = 0;
- pte_t * src;
-
- src = get_one_pte(mm, old_addr);
- if (src)
- error = copy_one_pte(src, alloc_one_pte(mm, new_addr));
- return error;
+ return 0;
}
-static int move_page_tables(struct mm_struct * mm,
+static int copy_page_tables(struct mm_struct * mm,
unsigned long new_addr, unsigned long old_addr, unsigned long len)
{
unsigned long offset = len;
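Review bot: copy_one_page installs the source PTE at the destination with `set_pte(dst, *src)` but, unlike the removed copy_one_pte, neither clears the source nor takes a reference on the page, so until the old range is unmapped the same page (or swap entry) is mapped twice on a single reference count; the `do_munmap(addr, old_len)` kept in the `@@ -138` hunk on the success path and the `zap_page_range(mm, new_addr, len)` left in the `@@ -113` unwind then each release that one reference while the other mapping is still live. Unless something outside these hunks increments the count per copied PTE (nothing visible here does), that is a reference underflow that surfaces later as corruption rather than at the call site, which would be consistent with the panics reported elsewhere in this thread. The fix is to take a reference on each page copied in copy_one_page and let the later unmap of whichever range goes away drop it, keeping the copy-then-unmap ordering the patch introduces. copy_page_tables starts in this hunk and its body continues outside it.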
@@ -99,7 +88,7 @@
*/
while (offset) {
offset -= PAGE_SIZE;
- if (move_one_page(mm, old_addr + offset, new_addr + offset))
+ if (copy_one_page(mm, old_addr + offset, new_addr + offset))
goto oops_we_failed;
}
return 0;
@@ -113,8 +102,6 @@
*/
oops_we_failed:
flush_cache_range(mm, new_addr, new_addr + len);
- while ((offset += PAGE_SIZE) < len)
- move_one_page(mm, new_addr + offset, old_addr + offset);
zap_page_range(mm, new_addr, len);
flush_tlb_range(mm, new_addr, new_addr + len);
return -1;
@@ -129,7 +116,9 @@
if (new_vma) {
unsigned long new_addr = get_unmapped_area(addr, new_len);
- if (new_addr && !move_page_tables(current->mm, new_addr, addr, old_len)) {
+ if (new_addr && !copy_page_tables(current->mm, new_addr, addr, old_len)) {
+ unsigned long ret;
+
*new_vma = *vma;
new_vma->vm_start = new_addr;
new_vma->vm_end = new_addr+new_len;
@@ -138,9 +127,19 @@
new_vma->vm_file->f_count++;
if (new_vma->vm_ops && new_vma->vm_ops->open)
new_vma->vm_ops->open(new_vma);
+ if ((ret = do_munmap(addr, old_len))) {
+ if (new_vma->vm_ops && new_vma->vm_ops->close)
+ new_vma->vm_ops->close(new_vma);
+ if (new_vma->vm_file)
+ fput(new_vma->vm_file);
+ flush_cache_range(current->mm, new_addr, new_addr + old_len);
+ zap_page_range(current->mm, new_addr, old_len);
+ flush_tlb_range(current->mm, new_addr, new_addr + old_len);
+ kmem_cache_free(vm_area_cachep, new_vma);
+ return ret;
+ }
insert_vm_struct(current->mm, new_vma);
merge_segments(current->mm, new_vma->vm_start, new_vma->vm_end);
- do_munmap(addr, old_len);
current->mm->total_vm += new_len >> PAGE_SHIFT;
if (new_vma->vm_flags & VM_LOCKED) {
current->mm->locked_vm += new_len >> PAGE_SHIFT;
@@ -176,9 +175,9 @@
* Always allow a shrin
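Review bot: The do_munmap failure branch in the `@@ -138` hunk hand-rolls the same flush_cache_range / zap_page_range / flush_tlb_range sequence that copy_page_tables already runs at oops_we_failed, so the unwind of the copied range now exists in two places with two different length arguments (`len` there, `old_len` here) that must stay in step. A small file-scope helper such as `static void zap_copied_range(struct mm_struct *mm, unsigned long addr, unsigned long len)` called from both sites would keep that in one place. The branch also assumes that a non-zero return from do_munmap means the old range was left fully intact; if do_munmap can fail after it has started unmapping (this hunk does not show it), the zap of the new range here would discard the only remaining copy of those pages, so the assumption deserves a comment on the `if ((ret = do_munmap(addr, old_len))) {` line. The enclosing mremap function continues outside this hunk.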
Re: 2.2 Kernel Fix
On Fri, Feb 20, 2004 at 09:56:12AM +0100, Dariush Pietrzak wrote: > > 2.2 series of kernels, since they're apparently vulnerable too? > You can find the patch on bugtraq/isec/etc, attached is a peek at it I had a private discussion about this patch with someone from the Debian Security Team, and he's not very happy with it. First, it changes some printk messages, which is uncommon for security patches. Second, it changes functions, which can result in kernel incompatibility. Anyway, I had a kernel panic shortly after deploying this patch on one of my boxes here. I'm not sure whether it's related to this patch, but it's strange anyway. If you can, I would advise you to wait until the OpenWall project comes up with a clean patch. Sven -- If God passed a mic to me to speak I'd say stay in bed, world Sleep in peace [The Cardigans - No sleep] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: 2.2 Kernel Fix
> 2.2 series of kernels, sincee they're apparently vulnerable too? You can find the patch on bugtraq/isec/etc, attached is a peek at it -- Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
--- linux/mm/mremap.c.security Sun Mar 25 20:31:03 2001
+++ linux/mm/mremap.c Thu Feb 19 05:10:34 2004
@@ -9,6 +9,7 @@
#include
#include
#include
+#include
#include
#include
@@ -25,7 +26,7 @@
if (pgd_none(*pgd))
goto end;
if (pgd_bad(*pgd)) {
- printk("move_one_page: bad source pgd (%08lx)\n", pgd_val(*pgd));
+ printk("copy_one_page: bad source pgd (%08lx)\n", pgd_val(*pgd));
pgd_clear(pgd);
goto end;
}
@@ -34,7 +35,7 @@
if (pmd_none(*pmd))
goto end;
if (pmd_bad(*pmd)) {
- printk("move_one_page: bad source pmd (%08lx)\n", pmd_val(*pmd));
+ printk("copy_one_page: bad source pmd (%08lx)\n", pmd_val(*pmd));
pmd_clear(pmd);
goto end;
}
@@ -57,34 +58,22 @@
return pte;
}
-static inline int copy_one_pte(pte_t * src, pte_t * dst)
+static int copy_one_page(struct mm_struct *mm, unsigned long old_addr, unsigned long new_addr)
{
- int error = 0;
- pte_t pte = *src;
+ pte_t * src, * dst;
- if (!pte_none(pte)) {
- error++;
- if (dst) {
- pte_clear(src);
- set_pte(dst, pte);
- error--;
+ src = get_one_pte(mm, old_addr);
+ if (src && !pte_none(*src)) {
+ if ((dst = alloc_one_pte(mm, new_addr))) {
+ set_pte(dst, *src);
+ return 0;
}
+ return 1;
}
- return error;
-}
-
-static int move_one_page(struct mm_struct *mm, unsigned long old_addr, unsigned long new_addr)
-{
- int error = 0;
- pte_t * src;
-
- src = get_one_pte(mm, old_addr);
- if (src)
- error = copy_one_pte(src, alloc_one_pte(mm, new_addr));
- return error;
+ return 0;
}
-static int move_page_tables(struct mm_struct * mm,
+static int copy_page_tables(struct mm_struct * mm,
unsigned long new_addr, unsigned long old_addr, unsigned long len)
{
unsigned long offset = len;
@@ -99,7 +88,7 @@
*/
while (offset) {
offset -= PAGE_SIZE;
- if (move_one_page(mm, old_addr + offset, new_addr + offset))
+ if (copy_one_page(mm, old_addr + offset, new_addr + offset))
goto oops_we_failed;
}
return 0;
@@ -113,8 +102,6 @@
*/
oops_we_failed:
flush_cache_range(mm, new_addr, new_addr + len);
- while ((offset += PAGE_SIZE) < len)
- move_one_page(mm, new_addr + offset, old_addr + offset);
zap_page_range(mm, new_addr, len);
flush_tlb_range(mm, new_addr, new_addr + len);
return -1;
@@ -129,7 +116,9 @@
if (new_vma) {
unsigned long new_addr = get_unmapped_area(addr, new_len);
- if (new_addr && !move_page_tables(current->mm, new_addr, addr, old_len)) {
+ if (new_addr && !copy_page_tables(current->mm, new_addr, addr, old_len)) {
+ unsigned long ret;
+
*new_vma = *vma;
new_vma->vm_start = new_addr;
new_vma->vm_end = new_addr+new_len;
@@ -138,9 +127,19 @@
new_vma->vm_file->f_count++;
if (new_vma->vm_ops && new_vma->vm_ops->open)
new_vma->vm_ops->open(new_vma);
+ if ((ret = do_munmap(addr, old_len))) {
+ if (new_vma->vm_ops && new_vma->vm_ops->close)
+ new_vma->vm_ops->close(new_vma);
+ if (new_vma->vm_file)
+ fput(new_vma->vm_file);
+ flush_cache_range(current->mm, new_addr, new_addr + old_len);
+ zap_page_range(current->mm, new_addr, old_len);
+ flush_tlb_range(current->mm, new_addr, new_addr + old_len);
+ kmem_cache_free(vm_area_cachep, new_vma);
+ return ret;
+ }
insert_vm_struct(current->mm, new_vma);
merge_segments(current->mm, new_vma->vm_start, new_vma->vm_end);
- do_munmap(addr, old_len);
current->mm->total_vm += new_len >> PAGE_SHIFT;
if (new_vma->vm_flags & VM_LOCKED) {
current->mm->locked_vm += new_len >> PAGE_SHIFT;
@@ -176,9 +175,9 @@
* Always allow a shrinking
2.2 Kernel Fix
Are we going to see a patch for the recent mremap() problem for the 2.2 series of kernels, since they're apparently vulnerable too? J' -- PGP Public key ID: 1024D/2DE827B3 fingerprint = 8797 A26D 0854 2EAB 0285 A290 8A67 719C 2DE8 27B3 See http://wwwkeys.pgp.net or any PGP keyserver for public key. pgp6VJ7S6VQlV.pgp Description: PGP signature
2.2 Kernel Fix
Are we going to see a patch for the recent mremap() problem for the 2.2 series of kernels, since they're apparently vulnerable too? J' -- PGP Public key ID: 1024D/2DE827B3 fingerprint = 8797 A26D 0854 2EAB 0285 A290 8A67 719C 2DE8 27B3 See http://wwwkeys.pgp.net or any PGP keyserver for public key. pgp0.pgp Description: PGP signature